Analysis
-
max time kernel
26s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
09-01-2024 18:48
General
-
Target
e9938f2d916c0fddd8230ac0241c4c42cf55ed5eb58e4b4ab6fb161000817559.exe
-
Size
312KB
-
MD5
f9cd86ed372b9fda0ca24ed082b4a742
-
SHA1
b9a7bc7e10d3a6272acb3646fb31f5f2672e54f0
-
SHA256
e9938f2d916c0fddd8230ac0241c4c42cf55ed5eb58e4b4ab6fb161000817559
-
SHA512
2ef77bf6bfacd8f31c587a4fad9da8e9067abe0dc670764cad020e8bfea68a17ea4483a6878a2a40c195f6c2ab93faa46cf9947440a47ccaeb774db5f823c5dd
-
SSDEEP
3072:fjMaOxcaTL6oaxJ2Hhom98iQ0txmYej1/PXzVHDVN/c5/yiT9laARTYFkc:fqxnLlav2BFKytLk1XXzVjVEDT0Fk
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9938f2d916c0fddd8230ac0241c4c42cf55ed5eb58e4b4ab6fb161000817559.exe"C:\Users\Admin\AppData\Local\Temp\e9938f2d916c0fddd8230ac0241c4c42cf55ed5eb58e4b4ab6fb161000817559.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7CBE.exeC:\Users\Admin\AppData\Local\Temp\7CBE.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\k759ciu9kmg_1.exe/suac3⤵
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"4⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\K759CI~1.EXE" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\823B.exeC:\Users\Admin\AppData\Local\Temp\823B.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4.4MB
-
Filesize
1024KB
-
Filesize
4.4MB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
44KB
-
Filesize
5.6MB
-
Filesize
5.6MB